OK To Defer Low Severity Vulnerabilities?


Not if a black hat hacker can chain multiple low severity vulnerabilities together to create a critical/high severity vulnerability!


We’ve seen several instances of this tactic with our customers recently:

  • A simple SSRF or CRLF injection can be combined with unsafe deserialization to lead to server takeover.
  • A low severity self-XSS can be combined with clickjacking, leading to account takeover.
  • Login/logout CSRF, which exists in about 80% of the web apps we test, when combined with an XSS that affects the account, can lead to cookie stealing, which can be further exploited to hijack sessions.
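Because login/logout CSRF is the link in the third chain that is most often waved through as "low", it helps to have a repeatable check for it. The script below is an added example written for this page, not Appsecuri's tooling: it parses a login page for a password form without an anti-CSRF token field and inspects the Set-Cookie headers for a session cookie without SameSite=Lax/Strict (Lax blocks the cross-site POST a login CSRF relies on). The token field-name hints, the rule that the session cookie is the one whose name contains "session", and the sample HTML and cookie headers are all assumptions constructed for the demo.

```python
"""Heuristic login-CSRF check on a login page plus its Set-Cookie headers.

Added example for this page; not Appsecuri's code. Assumptions: anti-CSRF
fields are hidden inputs whose name matches TOKEN_NAME_HINTS, and the session
cookie is the one whose name contains "session".
"""
from html.parser import HTMLParser

TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity")


class _FormCollector(HTMLParser):
    """Collect every <form> with its method, action and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    parser = _FormCollector()
    parser.feed(html)
    return parser.forms


def is_login_form(form):
    # A form that collects a password is treated as a login form.
    return any(i["type"] == "password" for i in form["inputs"])


def has_csrf_token(form):
    # Heuristic: a hidden input whose name looks like an anti-CSRF token.
    return any(i["type"] == "hidden" and any(h in i["name"].lower() for h in TOKEN_NAME_HINTS)
               for i in form["inputs"])


def session_cookie_samesite(set_cookie_headers):
    """Return the lower-cased SameSite value of the session cookie, or None."""
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        if "session" in name.lower():  # assumption: how the session cookie is named
            for attr in parts[1:]:
                key, _, value = attr.partition("=")
                if key.lower() == "samesite":
                    return value.strip().lower() or None
            return None
    return None


def check_login_csrf(html, set_cookie_headers):
    """Return a list of login-CSRF findings; an empty list means nothing flagged."""
    findings = []
    for form in parse_forms(html):
        if not is_login_form(form):
            continue
        if form["method"] != "post":
            findings.append(f"login form {form['action']!r} submits via GET")
        if not has_csrf_token(form):
            findings.append(f"login form {form['action']!r} has no anti-CSRF token field")
    if session_cookie_samesite(set_cookie_headers) not in ("lax", "strict"):
        findings.append("session cookie lacks SameSite=Lax/Strict")
    return findings


# Constructed sample input: a login page and cookies as they might be served.
VULNERABLE_HTML = """<form method="post" action="/login">
<input name="user"><input type="password" name="pass"><button>Sign in</button></form>"""
VULNERABLE_COOKIES = ["sessionid=abc123; Path=/; HttpOnly"]

HARDENED_HTML = """<form method="post" action="/login">
<input type="hidden" name="csrf_token" value="d3adb33f">
<input name="user"><input type="password" name="pass"><button>Sign in</button></form>"""
HARDENED_COOKIES = ["sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    print("vulnerable:", check_login_csrf(VULNERABLE_HTML, VULNERABLE_COOKIES))
    print("hardened:  ", check_login_csrf(HARDENED_HTML, HARDENED_COOKIES))
```

The check only tells you that the login form is forgeable; it is a manual tester who then asks whether a self-XSS or other "low" issue in the same app turns that into the account-takeover chain described above. Note also that SameSite=Lax does not stop top-level GET navigations, so a login endpoint that accepts GET still needs a token.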

Discovery of such chained vulnerabilities requires manual testing; static/dynamic vulnerability scanning reports each link as a separate low severity finding and is not sufficient on its own.

We offer manual testing very economically with our certified ethical hackers. Let us know if you’d like to receive an actual sample report, or a free 24-hour test of your app.

Request a 24-hour free pen test or an actual sample report at security@appsecuri.com so you can see the high quality of our work and reports.
